[Pkg-utopia-maintainers] Bug#1006544: firewall-cmd times out with large blocklists

Michael Biebl biebl at debian.org
Fri Apr 1 15:23:52 BST 2022


Control: forwarded -1 https://github.com/firewalld/firewalld/issues/933

I forwarded this issue upstream.

Eric, the upstream author, suggested using ipset for large block lists.
See https://www.epilis.gr/en/blog/2017/04/03/ipset-firewalld/

Regards,
Michael

On Sun, 27 Feb 2022 11:56:09 +0100 Felix Niederwanger 
<felix at feldspaten.org> wrote:
> Package: firewalld
> Version: 0.9.3-2
> 
> ## Observation
> 
> I'm noticing that `firewalld-cmd --reload` crashes when it has to deal
> with a large drop.xml file, as shown here:
> 
> root@debian:/etc/firewalld/zones# time firewall-cmd --reload
> ERROR:dbus.proxies:Introspect error on :1.28084:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
> Error: Message recipient disconnected from message bus without replying
> 
> real    15m2.633s
> user    0m0.273s
> sys     0m0.045s
> 
> 
> root@debian:/etc/firewalld/zones# systemctl status firewalld
> ● firewalld.service - firewalld - dynamic firewall daemon
>      Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
>      Active: failed (Result: signal) since Sun 2022-02-27 10:46:57 CET; 27min ago
>        Docs: man:firewalld(1)
>     Process: 33724 ExecStart=/usr/sbin/firewalld --nofork --nopid (code=killed, signal=KILL)
>    Main PID: 33724 (code=killed, signal=KILL)
>         CPU: 15min 20.336s
> 
> Feb 27 10:31:34 debian systemd[1]: Starting firewalld - dynamic firewall daemon...
> Feb 27 10:31:35 debian systemd[1]: Started firewalld - dynamic firewall daemon.
> Feb 27 10:46:57 debian systemd[1]: firewalld.service: Main process exited, code=killed, status=9/KILL
> Feb 27 10:46:57 debian systemd[1]: firewalld.service: Failed with result 'signal'.
> Feb 27 10:46:57 debian systemd[1]: firewalld.service: Consumed 15min 20.336s CPU time.
> 
> 
> ## Reproducer
> 
> Find attached to this email my drop.xml list. I tested this bug in a
> fresh VM running Debian 10 with all installed updates.
> 
> * Put attached drop.xml into /etc/firewalld/zones/drop.xml
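
Added example, not part of either message above and not firewalld's own code: one way to follow the ipset suggestion, converting a zone file's per-address sources into firewalld ipset definitions plus a zone that references them. It assumes the reporter's drop.xml lists each blocked network as a `<source address="..."/>` element (the attachment is not shown here); the sample zone and the `blocklist` set name are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample standing in for the reporter's drop.xml (the real
# attachment is not shown on this page). Assumption: one
# <source address="..."/> element per blocked network.
SAMPLE_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>Drop</short>
  <source address="192.0.2.0/24"/>
  <source address="198.51.100.7"/>
  <source address="192.0.2.0/24"/>
  <source address="2001:db8::/32"/>
  <source address="not-an-address"/>
</zone>
"""

def zone_to_ipsets(zone_xml, name="blocklist"):
    """Return (new_zone_xml, {ipset_name: ipset_xml}, rejected_entries)."""
    zone = ET.fromstring(zone_xml)
    nets = {4: set(), 6: set()}
    rejected = []
    for src in zone.findall("source"):
        addr = src.get("address")
        if addr is None:
            continue  # leave existing ipset= / mac= sources untouched
        zone.remove(src)  # every address source leaves the zone file
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            rejected.append(addr)  # reported to the caller, not silently lost
            continue
        nets[net.version].add(net)
    ipsets = {}
    # An ipset holds one address family, so IPv4 and IPv6 get separate sets.
    for version, family in ((4, "inet"), (6, "inet6")):
        if not nets[version]:
            continue
        ipset = ET.Element("ipset", type="hash:net")
        ET.SubElement(ipset, "option", name="family", value=family)
        # collapse_addresses drops duplicates and merges overlapping networks
        for net in ipaddress.collapse_addresses(nets[version]):
            ET.SubElement(ipset, "entry").text = str(net)
        set_name = f"{name}{version}"
        ipsets[set_name] = ET.tostring(ipset, encoding="unicode")
        ET.SubElement(zone, "source", ipset=set_name)
    return ET.tostring(zone, encoding="unicode"), ipsets, rejected
```

Each returned ipset definition would be saved as `/etc/firewalld/ipsets/<set name>.xml` and the rewritten zone as `/etc/firewalld/zones/drop.xml`. Review the rejected entries before reloading so a malformed blocklist line does not quietly drop out of the policy.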